SG-2440 / SG-4860 appliances - A few questions…



  • I've been running i386 pfSense on old Dell PCs for years [Optiplex GX520] and they are finally starting to give out. The thing that I like about them is that they are each configured with five gigabit interfaces and one wireless interface. The dislikes are that they are VERY old – so old that spares and parts are getting harder to find – they are slow (circa 2005-2006 i386 hardware), consume lots of power and are relatively massive compared to modern solutions.

    I am considering purchasing four appliances to replace the existing four appliances described above – either the SG-2440 or the SG-4860. I believe the SG-4860's hardware is very much overkill for our needs; however, the thought of only four interfaces makes me a little uncomfortable.

    For anyone who has these running in production [understanding they may not have even shipped yet] or knows about them intimately, the questions are as follows:

    1. Is it worth the $200 for the two extra interfaces?

    There are dual WANs [DOCSIS 3.0 or FiOS, retail business class] at each location, and LAN and OPT1 interfaces are currently used, for a total of four interfaces. We could probably get away with only four interfaces, but it makes me a little uneasy to spend that kind of money and have no spare interfaces for expansion. I also understand that both these appliances can handle orders of magnitude more bandwidth capacity than the existing appliances [Dell Optiplex GX520 Pentium 4 i386] and therefore I know I could make use of VLANs, etc.; however, we would still most likely use four interfaces due to limitations in our current switching hardware.

    2. How is the wireless adapter in terms of range and connectivity?

    I have heard mixed reviews; however, I'm not sure the opinions of the individuals who told me are reliable. If I opt to exclude a built-in wireless adapter that will most likely require use of an additional interface, which puts the SG-4860 as my only option. These will be in one office location and three homes. Each location would make use of three SSIDs. Is the wireless adapter robust enough to handle everything from business workloads at a small office to a family with mobile devices, tablets, laptops, etc.?

    3. Footprint/Size and Heat - What is the size (outside dimensions) of the appliances and how do they handle heat and environmental variables such as humidity?

    Is it fair to assume that the appliances are approximately 7" x 7" outside dimensions and roughly 1U tall/thick? Is there an option to attach ears to them, or would the only racked option be with a shelf? With regards to heat and environment, would it be safe to assume that in any environment where a home/retail router or PC can operate, these two appliances would perform fine? I am worried about humidity in three locations and heat in the fourth, where the property management company turns off the HVAC on weekends and during off-peak hours. The IT closet can get quite hot over the weekends, and the cleaning staff usually closes the door regardless of how much signage we display to please keep the door open after hours.

    4. Security - Is there any way to physically secure the devices?

    Both in terms of the enclosure and gaining access to the inside of the appliance, as well as physically securing them in place so they are not moved or stolen? I am not thinking theft; however, in the home office situations we have had issues before where someone's husband/wife/kid moves stuff around, knocks things over, etc. We have had situations where individuals (the kids that live at the home office locations) have gone into the old PC-based appliances for various reasons.

    Thank you for any responses. I would appreciate any alternative suggestions. If we do not go with the SG-2440 or SG-4860 I am considering either a Mikrotik + wireless AP solution or upgrading the existing production hardware to something newer. The cost may be slightly less to go Mikrotik or replace the existing hardware; however, the trade-offs of higher power consumption and a larger footprint even everything out.



  • Maybe replace your old Dells with newer systems? Newegg.com and a lot of others have pretty good deals on refurbished systems; HP, Lenovo and Dell show up there often in the $100 to $150 range and come with a free Win 7 disk that you might give to a friend with an old XP system. You can possibly find similar systems without the Win 7 cheaper too. If your network cards are still supported you might keep them, saving even more money.

    I really wanted a smaller box and lower power but when I looked for a real router box as a replacement for my Dell GX-110 (500 MHz Celeron) the prices were out of my range. I picked up some very nice and professionally refurbished HP-7900 small form factor systems for $129 each that worked quite well. I added some new Ethernet cards to the PCIe slots and when I found a good sale swapped the internal hard disk for a 64 GB SSD, other than that they are quite happy.

    My only caution is, if buying the listed HP small form factor boxes, make sure the power supply is not on the list HP provides of systems that won't work well on a UPS. My research has shown this is only an issue with a Revision A power supply; Revision B and later ones have no problems.

    http://h20566.www2.hp.com/hpsc/doc/public/display?sp4ts.oid=3785403&docId=emr_na-c01718939&lang=en&cc=us



  • Ya know Stan, I'll put up with a lot of crap, but you attempting to talk people out of supporting the project isn't one of them.

    Please stop.



    Thank you for any responses. I would appreciate any alternative suggestions.

    Just so it's clear for everyone, is it now forbidden to suggest anything not purchased from pfSense/Netgate?



  • @Derelict:

    Thank you for any responses. I would appreciate any alternative suggestions.

    Just so it's clear for everyone, is it now forbidden to suggest anything not purchased from pfSense/Netgate?

    No, but the thread is about the SG-2440/SG-4860, and the thread got hijacked to suggest that buying used / refurbished gear was somehow "better". There is a plethora of threads on the forum about where to get used / refurbished gear that will run pfSense; go post there.



  • A) I don't think that leading people away from supporting the project is good style, especially in this forum.

    B) Nobody cared to answer the questions, so here we go:

    @pf2.0nyc:

    1. Is it worth the $200 for the two extra interfaces?

    Not necessarily.
    You can use VLANs and a managed switch to create more interfaces if need be in the future.

    @pf2.0nyc:

    2. How is the wireless adapter in terms of range and connectivity?
    … Each location would make use of three SSID's...

    You will probably separate the traffic into different subnets anyway, and VLANs are the best bet for this. Hence a managed switch will come in handy. See above.
    Except for rare cases I try to put the AP where it is best suited (coverage wise). That's usually not where my router is located and I use an external AP.

    @pf2.0nyc:

    3. Footprint/Size and Heat - What is the size (outside dimensions) of the appliances and how do they handle heat and environmental variables such as humidity?

    quoted from the store:
    Form Factor Standard mini-ITX 170mm x 170mm
    Power Consumption 7W (idle)
    Fanless operation from 0°C to 65°C ambient temperature.

    Heat shouldn't be a problem and if it's warm in your closet you won't have condensation anyway.
    It should be ok if other equipment currently survives.

    @pf2.0nyc:

    4. Security - Is there any way to physically secure the devices?

    Feel free to attach an L-bracket and screw it wherever you like.
    This device does not have KVM so it's unlikely someone attaches a serial cable to it and starts fiddling on the console which can be password-protected.

    As far as I read the features of pfSense are superior to Mikrotik's.
    The people behind this project are great and commercial support is available if needed.
    The hardware is beefy and only consumes 7W (idle) - an APU needs 11W.
    What else can you ask for?



  • Let me take a stab at clearing things up. Hopefully I don't make things worse.

    We are a very small business of seven employees. I mis-counted. I'm actually in the market for five appliances, not four. Four appliances would go into home offices and one would go into our office. The units I have priced are the SG-4860 at about $850 (with 30GB storage, wifi card and the console cable) and the SG-2440 with the same accessories coming in at about $650. Four each puts the budget at $3,250 for the SG-2440 and $4,250 for the SG-4860 appliances. Let's just call it $4,000 +/- $300 for a firewall upgrade budget, which is pretty cheap for any business expense. I'd like to be paying $650 each for the SG-4860 but that's another story… It costs me more than $4,000 to fly an employee to a client for a few days.

    I'm currently running 5x Dell Optiplex GX520 i386 PCs with PCI (not PCIe, PCI) NICs and an old wireless G adapter. Nothing can be saved. They are between nine and ten years old and have worked wonderfully to this point. On the other hand, now that we are experiencing failures and reliability issues we are the helpdesk so if something breaks it either takes my time away or it means me paying an employee or an outside contractor $60-$100/hour to deal with the problem.

    I was looking at Dell Optiplex 755 Small Form Factor machines. A couple of days ago a decent lot of five (5) Optiplex 755 SFF PCs just sold on eBay for $250 + $90 shipping, so call it $350 all in, shipped. E6400 CPU, 4GB RAM, 160GB 5400RPM HDD (junk), CD/DVD + floppy drives (not needed).

    Mind you that's a 64W CPU, DDR2 RAM and a junk HDD. At least it's 64-bit architecture.

    By the time you put a decent HDD or SSD (or two) into the machine, rip out the CD/DVD and floppy drives, buy adapters and replace with blank plates you are looking at an easy $80-$100. Let's call it $150 per machine or $750 all-in so far. (The blank plates and removal of drives aren't necessary, but if you ever have someone else work on your stuff, better to have it gone than there and disconnected to save power – ask me how I know.)

    Next you need adapters. I want at least five copper interfaces plus one wireless. With this machine that means a LP quad PCIe NIC, which is $75 used all day long, and a decent wireless adapter is another $50 – or spend another $30-$75 on a second dual/quad NIC and run proper WAPs. Either way, same ballpark money-wise at about $250-$275 per machine.

    At this point I'm at roughly $250-$275 per machine... and that's a rock solid machine. Will it work - yep... It will perform great.

    Does it have a warranty?? Yep - my PayPal account.
    Does it come with a support contract?? Yep - on my dime at $60-$100/hour.
    Does it come with a SLA?? Yep - the iPhone in my pocket... or the iPhone on my nightstand that my wife loves to hear ring at 3:00am.
    Are they reliable? Yep - as reliable as the discount on the monthly invoice when I explain to the client we are discounting them this month due to service interruptions or reliability/access issues.

    They will also use a ton of power, they are big, generate a bunch of heat, are not quiet, the fans fill up with dust and need periodic cleaning, and moreover – god only knows what they did in their former lives, so who knows how long the PSU or mobo will truly last...

    So what I get for $275-$300 per homebrew appliance is a worry that in one month could cost me 10x the price of the five SG-4860 appliances.
    If I were to upgrade to newer PC's as I described above I wouldn't have posted this. In the grander scheme a warranty, support contract and peace of mind is worth the extra cash because one outage of a homebrew machine negates the cost savings.

    And... none of the above takes into account my time of 3-5 hours per machine to order, configure and ship to the employee... which includes another 3-5 hours (per machine) of the wife b*tching at me because computers and newegg boxes are showing up like crazy taking over my office and the garage... and this is going to be Easter Sunday so the dog poop needs to be picked up from the back yard and the lawn needs to be raked so when the kids come over after church we can do an Easter egg hunt... oh and don't forget it's going to rain all day Friday and we are having people over Saturday afternoon... If it's not that it would be baseball practice, dance recitals... oh and then there is my actual job.

    We are not very much different than individual home users running pfSense, due to the size of the company and what we do. When we started I went out and bought a bunch of Dell PCs on eBay, configured them and shipped them to each person as they needed one. We've just outgrown that phase and are fortunate enough to be able to afford a quality top-notch solution.

    I don't mean to lay into anyone here about pfSense store vs. other vendors or pfSense hardware vs. non-brand hardware, and I certainly don't mean to represent myself or my needs as being above any home user. On the other hand, I personally believe that there is an inherent conflict of interest that presents itself the minute a for-profit entity emerges from a community-based open-sourced project such as the *BSD derivatives. I've seen it in a few other *BSD projects and nothing good comes of it. If the project is truly open-source then the only "secret sauce" is the implementation and pairing the hardware with the software (hello Steve Jobs). When the developers of the open-source community work for or have a vested interest in the for-profit entity it hurts the community. They hold back on things like cost savings on optimal hardware, economies of scale, tricks, tips, configurations, etc. The withholding of information in an attempt to profit from that intellectual property I believe is thievery from the open-source community and undermines the open-source project as a whole. It forces an unfair monopoly which eventually destroys the open-source project or turns the overall project into a for-profit project. I believe it is fundamentally flawed – but so is capitalism. Look what happened to the housing markets. When your obligation to your shareholders is greater than to your customers it is only a matter of time until you lose customers. If the for-profit arms of open-source communities shove the for-profit mantra down the throats of the community – the community will leave and go elsewhere. When the answer is "you should have bought a service contract" or "too bad you aren't a gold/platinum/silver/diamond level member" the community will self-destruct and pull the for-profit entity down with it.

    Enough rant. I just want to buy five firewalls and want to know I’m not going to regret the SG-4860 because I’d like them to last ~5 years in production.



  • @gonzopancho:

    Ya know Stan, I'll put up with a lot of crap, but you attempting to talk people out of supporting the project isn't one of them.

    Please stop.

    I think reusing some pre-existing hardware for a beginner or buying some refurb super cheap hardware to experiment with pfSense on will probably only lead to those same people buying good hardware from the pfSense store. I know for me, personally, when my recycled personal boxes start failing they will almost certainly be getting replaced with hardware from the pfSense store.

    Using old stuff was low-risk and so gave me the opportunity to learn how much I like pfSense. I do think that if you have the money and you like pfSense, the pfSense store appliances are the way to go.

    I think that when you need something that will absolutely, positively work, will last and won't cost you a mint in downtime, like the situations described above, I'd go straight to the pfSense store and buy there.



  • Thanks for the reply jahonix. Much appreciated. I have had a very good experience with the pfSense team over the years. The community is wonderful and I agree that supporting the project is a good thing.

    @jahonix:

    @pf2.0nyc:

    1. Is it worth the $200 for the two extra interfaces?

    @jahonix:

    Not necessarily.
    You can use VLANs and a managed switch to create more interfaces if need be in the future.

    Understood and thank you. We currently use many VLANs however our switching hardware is a very limiting factor at present. Perhaps this answers the question - the $200 for more interfaces is cheaper than spending $1,000 per location on upgraded switching hardware.

    @pf2.0nyc:

    2. How is the wireless adapter in terms of range and connectivity?
    … Each location would make use of three SSID's...

    @jahonix:

    You will probably separate the traffic into different subnets anyway and VLANs are the best bet for this. Hence a managed switch will come handy. See above.
    Except for rare cases I try to put the AP where it is best suited (coverage wise). That's usually not where my router is located and I use an external AP.

    We do that currently. Three SSIDs via two VLANs on the wireless adapter. I'm wondering about range, sticky connections, how quickly it drops off, etc. This is a non-standard business situation where we have employees who work from home. They want to be on the phone (Google Voice or Skype) and be able to walk around their home. They don't need to be able to drive down the street, but they should be able to get up and walk away from the AP without a drop in signal.

    If these are too new, perhaps the $$ spent on a wireless adapter would be better spent on proper WAPs? (opinions welcome)

    @pf2.0nyc:

    3. Footprint/Size and Heat - What is the size (outside dimensions) of the appliances and how do they handle heat and environmental variables such as humidity?

    @jahonix:

    quoted from the store:
    Form Factor Standard mini-ITX 170mm x 170mm
    Power Consumption 7W (idle)
    Fanless operation from 0°C to 65°C ambient temperature.

    Heat shouldn't be a problem and if it's warm in your closet you won't have condensation anyway.
    It should be ok if other equipment currently survives.

    170mm = ~6.69" which is why I said roughly 7"x7". Was looking for feedback from someone who has had hands on these things.

    Can they be rack mounted?

    @pf2.0nyc:

    4. Security - Is there any way to physically secure the devices?

    @jahonix:

    Feel free to attach an L-bracket and screw it wherever you like.
    This device does not have KVM so it's unlikely someone attaches a serial cable to it and starts fiddling on the console which can be password-protected.

    As far as I read the features of pfSense are superior to Mikrotik's.
    The people behind this project are great and commercial support is available if needed.
    The hardware is beefy and only consumes 7W (idle) - an APU needs 11W.
    What else can you ask for?

    I agree that with no KVM it's pretty safe. Hate to beat a dead horse, but if you can attach L-brackets does that mean you could attach ears and rack it?

    Thanks again.



    I would not spend the extra $200 on 2 extra interfaces.  I'd spend the extra $200 on a managed switch.



  • yep



  • @pf2.0nyc:

    On the other hand, I personally believe that there is an inherent conflict of interest that presents itself the minute a for-profit entity emerges from a community-based open-sourced project such as the *BSD derivatives.

    FreeBSD, OpenBSD and NetBSD all have foundations that seek out donations. These are 501(c)3 (or, in the case of OpenBSD, roughly the Canadian equivalent).

    That said, I don't see the conflict of interest you assert.  Moreover, COI, by itself, is not typically a concern.  It is hidden conflict-of-interest that is a concern (and in some cases, illegal.)

    @pf2.0nyc:

    If the project is truly open-source then the only “secret sauce” is the implementation and pairing the hardware with the software (hello Steve Jobs).

    I don't think you'll find many who agree with your assertion that this is the 'secret sauce', or your example of Apple, especially Apple led by Mr. Jobs.  Note to any respondent:  I'm typing this on a Macbook.  I don't have a problem with Apple, but describing OS X or iOS as "open source" seems problematic.  To me, Open Source means that the source code is open, and licensed such that others can fork it.  By that definition, pfSense software is Open Source.

    @pf2.0nyc:

    When the developers of the open-source community work for or have a vested interest in the for-profit entity it hurts the community.

    All of the main developers of pfSense are employed by either Rubicon Communications (Netgate) or Electric Sheep Fencing.  There are also a group of people in the community who contribute, but most of the work on pfSense comes from that "coreteam".  Here is a post from last year that goes through the numbers.  https://forum.pfsense.org/index.php?topic=76140.0

    @pf2.0nyc:

    They hold back on things like cost savings on optimal hardware, economies of scale, tricks, tips, configurations, etc.

    If you wish, please provide specific examples of this occurring, so we can discuss them in public.  In some ways, capitalism, the very system you say is fundamentally flawed (below, and yes, it is flawed), serves as a blocking function for the behavior you ascribe.  If an entity seeks rents that are too high, another entity may decide that there is sufficient incentive to compete.  Since the software is Open Source, there is no effective way for the first entity to impede the second from a technical standpoint.

    @pf2.0nyc:

    I believe it is fundamentally flawed –but so is capitalism.

    As is every other political or economic system.

    @pf2.0nyc:

    Look what happened to the housing markets. When your obligation to your shareholders is greater than to your customers it is only a matter of time until you lose customers.

    Without ratholing the discussion too badly, I don't think the situation with the housing markets (I assume you're speaking of the pre-2006 housing bubble, followed by the 2007-2011 bust, and all of the financial shenanigans that accompanied same, as well as the U.S. subprime mortgage crisis, which was caused more by consumer debt (financed by mortgage-backed securities and collateralized debt obligations such as credit default swaps)) was purely driven by shareholder valuation. The US government had a lot to do with it, since the FHA, Freddie Mac and Fannie Mae (these last two are not US government, but are government-sponsored) are all huge backers of the US mortgage market.

    @pf2.0nyc:

    When the answer is “you should have bought a service contract” or “too bad you aren’t a gold/platinum/silver/diamond level member” the community will self-destruct and pull the for-profit entity down with it.

    My objection (upthread) was that someone stepped in to derail.  We don't stop anyone from loading pfSense software on the hardware they find or source from anywhere.  We don't disable drivers for hardware we don't sell.  We provide (but do not require) paid support for hardware we do not sell, and we answer a lot of technical support questions in this forum and others.



  • @Derelict:

    I would not spend the extra $200 on 2 extra interfaces.  I'd spend the extra $200 on a managed switch.

    Let's be clear, there is more to the "extra $200" than two more Ethernet interfaces.

    First, the extra $200 is $406 - $254, or $152.

    Second, the 4860 is a quad core @ 2.4GHz board with 8GB RAM, while the 2440 is a dual core @ 1.7GHz with 4GB RAM.

    So 2X the RAM, nearly 3X the CPU if measured as cores x clock speed, and yes, two more Ethernets for a 59% increase in price.

    Agreed that if all you care about is the 2 extra interfaces, then a managed switch is a better investment.



  • Hello pf2.0nyc,

    $500 Complete appliance (SG-4860)
    $199 Includes one year of pfSense Premium Software Support (~$17 each month)
    $0.00 Installation, test

    And ready to go, because time is also money, as I see it. Right?

    It forces an unfair monopoly which eventually destroys the open-source project or turns the overall project into a for-profit project.

    Like m0n0wall is now? The project is open source, but the code writers are not living from love and fresh air alone! And on the other hand, for code writing there is often a need for materials such as development platforms and devices, but the benefit for us all is then perhaps that we get new things such as QuickAssist support, AES-NI support and so on. Or how much money did you spend for that great work until now? Nothing? But then please let them also do what they need to do so that this project keeps running liquid, please. Open source is free of charge but not free of cost; it costs the time that all the developers spend on it, and time is money.

    is cheaper than spending $1,000 per location on upgraded switching hardware.

    Cisco SG300-28 - 28 Port Layer3 Switch is for ~$400

    Ubiquiti Networks UniFi AP Enterprise WiFi System UAP-3 (Pack of 3) ~$200
    And the software WiFi controller is free of charge and runs under Linux really well!

    and pairing the hardware with the software (hello Steve Jobs).

    He made it for the crazy ones and not for the ruffians, and his project is also still alive and no one is angry about it.

    They want to be on the phone (Google Voice or Skype) and be able to walk around their home. They don't need to be able to drive down the street but they should be able to get up and walk away from the AP without a drop in signal.

    Then fast roaming on Layer 2 & Layer 3 is often really urgently needed, because these are so-called real-time tasks and do not forgive blackouts, but perhaps you are the lucky one, owing to the circumstances, that there are not so many users in the WLAN. I mostly use a WLAN controller for fast roaming tasks on L2 & L3.

    They hold back on things like cost savings on optimal hardware, economies of scale, tricks, tips, configurations, etc.

    If so, you will not receive an answer to your question here from them! What do you mean by tips and tricks? Something like activating TRIM support for SSD or mSATA, or fine tuning the Intel NICs? It was all shown here in the forum and this is free for all to read!

    When the answer is “you should have bought a service contract” or “too bad you aren’t a gold/platinum/silver/diamond level member” the community will self-destruct and pull the for-profit entity down with it.

    If you have no support contract you can use the forum, as you are doing here now, and let the community grow, am I right?

    The units I have priced are the SG-4860 at about $850 (with 30GB storage, wifi card and the console cable)

    So $850 for a firewall that should work for 5 years, right?

    $850 price / 5 years = $170 per year
    $170 per year / 12 months = ~$15 per month
    $15 per month / 3 family members = $5 per nose in the household
    $5 per nose / 31 days = 0.17 cent per nose in the household per day



  • pf2.0nyc, I don't get your point with Wifi, multiple SSIDs, a managed switch and the need for more physical pfSense ports.

    You already have a managed switch in place AND you are using VLANs with your Wifi AP, right?
    Why don't you feed the pfSense a VLAN trunk then and avoid the need for more physical interfaces?

    How is it set up currently?



    They want to be on the phone (Google Voice or Skype) and be able to walk around their home. They don't need to be able to drive down the street but they should be able to get up and walk away from the AP without a drop in signal.

    Someone needs to understand the physics of radio frequency energy.



  • @Derelict:

    They want to be on the phone (Google Voice or Skype) and be able to walk around their home. They don't need to be able to drive down the street but they should be able to get up and walk away from the AP without a drop in signal.

    Someone needs to understand the physics of radio frequency energy.

    Or all wave functions.  Light and audio also follow an inverse law.

